According to reports the theft was national in scope, involving the magnetic stripe “track data” containing private information. It could allow thieves to create counterfeit cards.

U.S. Secret Service spokesman Brian Leary confirmed the agency is investigating a credit and debit card data theft at Target stores, but declined to provide further details.

The breach comes at a disastrous time for Target and its customers, arriving during the final hectic shopping week before Christmas. Target has 1,797 stores in the U.S. and 124 in Canada.

Advertisement

Officials from the Minneapolis-based corporation did not respond to repeated inquiries Wednesday.

And American Express spokeswoman Marina Norville confirmed, “We are aware of the incident,” adding that the company is “working with Target, but it’s an ongoing investigation, so there’s not a lot to say at this point.”

The breach is said to have begun during the hectic Black Friday shopping weekend, and lasted another week or two, according to a report from Krebs On Security, a blog by former Washington Post reporter Brian Krebs, who writes about cybercrime and other Internet-security topics.

“It’s not clear how many cards thieves may have stolen in the breach,” Krebs posted Wednesday. But citing sources “from two major card issuers,” he wrote that “more than one million” cards from both issuers “were thought to have been compromised in the breach.” Krebs did not identify the card companies.

Representatives for Visa and MasterCard could not be reached for comment.

The Wall Street Journal separately reported Wednesday that the breach “happened in stores, not online, and may have involved tampering with the machines that customers use to swipe their cards when making purchases.” It sourced its report to “people familiar with the matter.”

“Presuming this is all true, it’s probably one of the most serious things you can have happen, because it affects not only your store operations, it affects the lives and financial security of your customers,” said Jim McComb, a Twin Cities retail analyst.

Two years ago, McComb was involved in a similar security breach with a different retailer.

“When you’ve got this breakdown in the system, the cards have to be cancelled,” McComb said. “And the consumer has to get a new card. In many cases, companies provide credit monitoring for the cardholder.”

The big worry is concern about any stolen data, McComb said. But there’s also the hassle of losing access to a credit or debit card during the busiest shopping week of the year.

Norville, the American Express spokeswoman, said that customers “are not liable for any sort of credit card fraud,” but did urge shoppers to keep an eye on their charges, and alert American Express if they see anything suspicious.